
Logout Detection

During a scan, Netsparker clicks all links and submits all forms. Sometimes, this means the session may be terminated (and therefore logged out) during an authenticated scan. However, after logging out, Netsparker must continue to scan the entire website, including the areas usually only available to users after logging in.

Before starting a scan, you must verify form authentication by providing Netsparker with information on which pages require a login.

In order to teach Netsparker how to identify these pages, the Logout Detection feature is employed during authentication verification.

There are two types of logout detection patterns that Netsparker identifies automatically:

  • Redirect-based logout detection
  • Keyword-based logout detection

Netsparker can use either of these to determine the status of a session. However, in some cases, you may wish to configure them manually.

For further information, see Logout Problems.

Configuring Redirect-Based Logout Detection

Many websites redirect users back to the login form page when a restricted page is requested anonymously without a valid session. If your website does this, you must specify the URL to which users are redirected when they try to access a password protected page without a valid session, and Netsparker will detect a Redirect-based logout.

  • To do this, Netsparker makes an anonymous request to a login required URL and identifies a Redirect-based logout if an HTTP 30x redirect response is detected. Netsparker simply uses the last URL that the form authentication simulation requested as the login required URL. (For example, the form authentication simulation may use a URL such as http://mysite.com/Dashboard/.)
  • You can also use wildcards in the URL. For example, if your web application adds a random ID in the URL when accessing the login page, you can use the following URL with a wildcard:
https://www.example.com/login.aspx?path=*

How to Configure Redirect-Based Logout Detection in Netsparker Enterprise

  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Scans, then New Scan.
  3. In the Scan Options section, select the Form Authentication tab. The Form Authentication fields are displayed.
  4. Enable the Form Authentication checkbox.
  5. In the Login Form URL field, enter the URL.
  6. Click New Persona.
  7. Complete the Username and Password fields.
  8. Click Verify Login & Logout. The verification operation will start.
  9. When the process is complete, the Login Simulation/Logout Detection sections will be displayed side by side and populated.

How to Configure Redirect-Based Logout Detection in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the main tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. In the dialog Options menu, in the Authentication tab, click Form. The Form Authentication settings are displayed.
  4. Tick the Enabled checkbox. The Form Authentication fields are enabled.
  5. In the Login Form URL field, enter the URL: [http://aspnet.testsparker.com/administrator/?r=/Dashboard/]
  6. In the Personas section, under Username, enter your username. [alan@turing.com]
  7. In the Personas section, under Password, enter your password. [theturingtest]
  8. Click Verify Login & Logout. The Verify Form Authentication process will start.
  9. When the process is complete, the Login Simulation/Logout Detection sections will be displayed side by side and populated.
  10. If required, click the URL in the blue help text box. The Login Required URL field is displayed. Re-enter the URL, and click Detect logout using this URL. In most cases, you do not need to change the Login Required URL, as Netsparker guesses it correctly. If it is wrong, you can change it and redo the logout detection.
  11. In the blue help text box, click the Redirect Based link. The configuration is displayed.
  12. In the Verify Form Authentication dialog, click OK.

Configuring Keyword-Based Logout Detection

Some websites do not issue a redirect when an anonymous request is sent to a login-required URL, or the identified login-required URL displays a page that is very similar to the authenticated page. In such cases, Netsparker will detect and use a Keyword-based logout. This type of logout detection identifies a logged-out session by searching for specific keywords in the HTTP responses: if all of the specified keywords are found in a response, Netsparker determines that the session is currently logged out or has been invalidated.

When using this method, the scanner will look for specific keywords in the HTTP responses. You can specify as many keywords as you want in this list. Netsparker has to match them ALL in an HTTP response to confirm that a session has been terminated. You can also use regular expressions in the keywords. If you do, check the Is Regex? checkbox next to the keyword pattern.
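The following Python script is an added example, not Netsparker's own code, that models the two decision rules described in the Redirect-Based and Keyword-Based sections above: an anonymous request to the login-required URL answered with an HTTP 30x whose Location resolves to the (wildcard) login page URL, and a response body in which every configured keyword (plain or regex) is present. The Response and Keyword classes, function names and all sample responses are constructed for this illustration. It also shows why the all-keywords-must-match rule matters: a single loose keyword such as "login" also appears on the authenticated dashboard and would make the scanner believe it had been logged out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urljoin


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Keyword:
    """One entry of a keyword list; is_regex mirrors the 'Is Regex?' checkbox."""
    pattern: str
    is_regex: bool = False


def url_matches(pattern: str, url: str) -> bool:
    """Match a URL against a pattern in which '*' stands for any run of characters,
    e.g. 'https://www.example.com/login.aspx?path=*'. Everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def redirect_based_logged_out(resp: Response, login_required_url: str,
                              login_page_pattern: str) -> bool:
    """Redirect-based rule: the anonymous request to the login-required URL was
    answered with an HTTP 30x whose Location resolves to the login page."""
    if not 300 <= resp.status < 400:
        return False
    location = resp.headers.get("Location")
    if not location:
        return False
    # Location may be relative; resolve it against the URL that was requested
    return url_matches(login_page_pattern, urljoin(login_required_url, location))


def keyword_based_logged_out(resp: Response, keywords: List[Keyword]) -> bool:
    """Keyword-based rule: EVERY configured keyword must appear in the body."""
    if not keywords:
        return False  # an empty list would otherwise match every response
    for kw in keywords:
        found = (re.search(kw.pattern, resp.body) is not None if kw.is_regex
                 else kw.pattern in resp.body)
        if not found:
            return False
    return True


def session_logged_out(resp: Response, login_required_url: str,
                       login_page_pattern: str, keywords: List[Keyword]) -> bool:
    """Apply the redirect rule first and fall back to the keyword rule."""
    return (redirect_based_logged_out(resp, login_required_url, login_page_pattern)
            or keyword_based_logged_out(resp, keywords))


# Constructed sample data (hypothetical site, not from the original page)
LOGIN_REQUIRED_URL = "https://www.example.com/Dashboard/"
LOGIN_PAGE_PATTERN = "https://www.example.com/login.aspx?path=*"

REDIRECT_TO_LOGIN = Response(302, {"Location": "/login.aspx?path=a1b2c3"})
REDIRECT_ELSEWHERE = Response(302, {"Location": "/Dashboard/welcome"})
LOGIN_FORM_200 = Response(200, {}, "<form action='/login.aspx'><h1>Please log in</h1></form> "
                                   "Your session has expired. "
                                   "<a href='/forgot'>Forgot your password?</a>")
DASHBOARD_200 = Response(200, {}, "<h1>Dashboard</h1> Last login: yesterday "
                                  "<a href='/logout'>Log out</a>")

# Precise keyword set: all three must be present
LOGOUT_KEYWORDS = [Keyword("login"),
                   Keyword("Please log in"),
                   Keyword(r"session has (expired|timed out)", is_regex=True)]
# Loose keyword set: 'login' also appears on the authenticated dashboard
TOO_LOOSE_KEYWORDS = [Keyword("login")]


if __name__ == "__main__":
    for name, resp in [("redirect to login", REDIRECT_TO_LOGIN),
                       ("redirect elsewhere", REDIRECT_ELSEWHERE),
                       ("login form (200)", LOGIN_FORM_200),
                       ("dashboard (200)", DASHBOARD_200)]:
        print(f"{name:20s} logged out: "
              f"{session_logged_out(resp, LOGIN_REQUIRED_URL, LOGIN_PAGE_PATTERN, LOGOUT_KEYWORDS)}")
    print("dashboard with loose keywords:",
          keyword_based_logged_out(DASHBOARD_200, TOO_LOOSE_KEYWORDS))  # True: false positive
```

Run it as-is; the final line demonstrates the false positive, which is the case to check for when choosing keywords: pick strings that occur only on the logged-out page (a login form heading, a "session expired" message) and combine several of them, since all of them have to match before the scanner treats the session as terminated.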

How to Configure Keyword-Based Logout Detection in Netsparker Enterprise

  1. Log in to Netsparker Enterprise.
  2. Follow steps 2 to 9 in How to Configure Redirect-Based Logout Detection in Netsparker Enterprise.
  3. Click New Keyword to specify as many keywords as required.
  4. Click OK if complete, or Reverify logout settings to configure again.

How to Configure Keyword-Based Logout Detection in Netsparker Standard

  1. Open Netsparker Standard.
  2. Follow steps 2 to 10 in How to Configure Redirect-Based Logout Detection in Netsparker Standard.
  3. In the blue help text box, click the Redirect Based link. The configuration is displayed.
  4. Enable RegEx for those keywords that require it.
  5. In the Verify Form Authentication dialog, click OK.

Configuring Authentication for Non-Supported Login Forms

If you want to configure authentication for non-supported login forms, you can write and upload custom scripts to Netsparker Enterprise.

For further information, see Custom Scripts for Form Authentication in Netsparker.
